Quick summary

  • Phase 2 of CMMC begins November 10, 2026, when DoD contracting officers can require Level 2 C3PAO certifications as a condition of award.
  • DOJ recovered $51.8 million across eight cyber-related False Claims Act settlements in FY 2025, a 233% increase over 2024.
  • The MORSECORP $4.6M settlement is the template: contractors who submit inflated SPRS scores and fail to update them face FCA exposure.
  • The C3PAO assessor backlog is real. Contractors who wait until October 2026 to start looking will not get assessed in time.
  • This article walks through the six operational steps a small or mid-tier defense contractor should complete before the deadline.
[Figure: Horizontal timeline of the four CMMC implementation phases. Phase 1 begins November 10, 2025 with self-assessment discretion; Phase 2 begins November 10, 2026 with C3PAO certification requirements; Phase 3 begins November 10, 2027 with Level 3 / DIBCAC for sensitive contracts; Phase 4 begins November 10, 2028 with full enforcement. Today is May 20, 2026, approximately six months before Phase 2.]
The CMMC rollout in four phases. Phase 2 — when C3PAO certifications become a condition of award — is six months away.

What Phase 2 Actually Changes

On September 10, 2025, the Department of Defense published the final rule amending the DFARS to implement the Cybersecurity Maturity Model Certification program. The rule took effect November 10, 2025, kicking off a four-phase rollout.

Phase 1 is the year we are in now. Through November 10, 2026, contracting officers have discretion to require Level 1 or Level 2 self-assessments on applicable contracts. For most contractors, this looks similar to the NIST 800-171 self-attestation regime that existed under DFARS 252.204-7012.

Phase 2 changes that. Starting November 10, 2026, DoD solicitations and contracts can require Level 2 certifications issued by a Certified Third-Party Assessment Organization (C3PAO). Self-attestation is no longer the default for contractors handling Controlled Unclassified Information. The contracting officer’s discretion shifts from “you can self-assess” to “you must produce a current C3PAO certificate.”

Two operational realities follow from this.

First, there is no grace period for new bidders. A contractor that wins an award under a solicitation requiring CMMC Level 2 certification must have that certification at the time of award. Not “in progress.” Not “scheduled.” Certified.

Second, the requirement applies all the way down the supply chain. If you are a prime contractor with CUI flow-down obligations, your subcontractors need the same certification level you do. If you are a subcontractor, the prime is going to ask before they sign.

Why This Is Not Just Another Compliance Deadline

CMMC is not the only thing that changed in 2025. The DOJ’s enforcement posture on cyber compliance accelerated in parallel.

On January 16, 2026, the DOJ announced that False Claims Act settlements and judgments exceeded $6.8 billion in fiscal year 2025, the largest single-year recovery in FCA history. Within that figure, cyber-related settlements alone totaled approximately $51.8 million across eight cases — a 233% increase over the four cyber settlements that totaled $15.5 million in 2024.

[Figure: Bar chart comparing DOJ cyber-related False Claims Act settlements. FY 2024: $15.5 million across 4 settlements. FY 2025: $51.8 million across 8 settlements. Year-over-year increase: 233%. Source: U.S. Department of Justice FY 2025 False Claims Act recoveries, announced January 16, 2026.]
DOJ cyber-related False Claims Act settlements jumped from $15.5M in FY 2024 to $51.8M in FY 2025 — a 233% increase, with double the case count.

The cases share a pattern: contractors who certified compliance with NIST 800-171 or DFARS 252.204-7012, took the contract revenue, and later turned out not to have implemented the controls they claimed.

The most cited example is MORSECORP, Inc. On March 25, 2025, the Cambridge, Massachusetts defense contractor agreed to pay $4.6 million to resolve allegations that it violated the False Claims Act in its contracts with the Army and Air Force. The case was brought as a qui tam action by MORSE’s own head of security and facility security officer, who received a whistleblower share of $851,000 (18.5% of the settlement).

The settlement included four specific admissions:

  1. Use of unsecure third-party email hosting for sensitive government information
  2. Failure to implement NIST SP 800-171 cybersecurity controls
  3. Lack of a consolidated written system security plan (SSP)
  4. Failure to update and correct its self-assessment score in the Supplier Performance Risk System (SPRS) until after receiving a federal subpoena

That fourth admission is the one that should make every CMMC-eligible contractor read twice. MORSECORP did not just submit an inaccurate SPRS score — they learned from a third-party cybersecurity consultant that their score was wrong, and they delayed updating it. The DOJ treated that delay as fraud.

Three other settlements from the same window reinforce the pattern:

In December 2025, the DOJ added a precision machining subcontractor settlement — the first to reach a small supplier in the defense supply chain, brought by a former quality control manager as a qui tam relator.

The signal is clear: as Phase 2 turns self-attestation into a smaller piece of the CMMC compliance picture, the legal exposure from misrepresenting the part that remains is growing.

Get the full self-assessment walkthrough. The CMMC 2.0 Compliance Survival Guide workbook ($39) includes a worked example of an honest SPRS scoring exercise, an SSP template, and a POA&M format built for small defense contractors. It is the resource designed for contractors who need to do this work without hiring an external consultant.

The C3PAO Backlog Problem

There is a practical bottleneck most contractors are underestimating.

The CMMC Accreditation Body (Cyber AB) authorizes C3PAOs, the private firms qualified to conduct Level 2 third-party assessments. As of early 2026, the number of authorized C3PAOs is in the low double digits relative to a defense industrial base of roughly 220,000 companies. Even if only a fraction of those companies handle CUI and need Level 2 certification, the assessor supply will not stretch to cover everyone who waits until Q3 2026 to start.

A C3PAO Level 2 assessment is not a one-week engagement. The realistic timeline from initial scoping to certificate issuance, assuming the contractor’s environment is ready, runs three to six months. If the assessment uncovers gaps requiring a Plan of Action and Milestones (POA&M), conditional status is allowed for up to 180 days while deficiencies are closed.

Contractors who want a Level 2 certificate in hand by November 10, 2026 should be in conversation with a C3PAO no later than June 2026. That is six weeks from now.

The Six-Step Phase 2 Readiness Checklist

Here is what a small-to-mid-tier defense contractor should be doing between now and November 10, 2026.

Step 1: Verify your scope

Identify which of your systems process, store, or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). This determines whether you need Level 1 (FCI only) or Level 2 (CUI).

Two specific actions:

If your DD-254 or contract describes the data as CUI, you are in Level 2 territory by default. Self-assessment may still apply in Phase 1 at contracting officer discretion, but Phase 2 will require certification.

Step 2: Read your current SSP against NIST 800-171 Rev. 2

CMMC Level 2 maps to the 110 security controls in NIST SP 800-171 Rev. 2. (Note: NIST published Rev. 3 in May 2024, but CMMC continues to reference Rev. 2.)

Pull your current System Security Plan and go through each control family:

For each control, ask: do we have a documented implementation, and would a third-party assessor be able to verify it from the artifacts we have on hand?

The MORSECORP case included admission of failure to maintain a consolidated written SSP. Multiple draft documents, undated policy fragments, and a network diagram from 2021 do not constitute an SSP for assessment purposes.

Step 3: Reconcile your SPRS score with reality

Log into SPRS. Pull your current Basic Assessment score.

Now compare that score against what your current SSP and implementation actually support. If the gap is more than a few points, you have a MORSECORP problem.

The DOJ has now established that knowingly leaving an inflated SPRS score in place after learning it is wrong is treated as fraud. Update the score. Document when you updated it and why. Keep the evidence.

This is the single highest-leverage step a contractor can take in the next 90 days. It is also the cheapest.

Step 4: Build the POA&M for whatever is not in place

For any of the 110 controls not currently implemented, you need a Plan of Action and Milestones. CMMC Phase 2 allows conditional certification for up to 180 days while POA&M items are closed.

Not every control is POA&M-eligible. Certain high-weight controls must be in place at the time of assessment — POA&M is not an option for those. Your C3PAO will tell you which ones, but practical examples include multi-factor authentication on privileged accounts and audit log generation.

A workable POA&M format includes, for each open item: the specific control, the gap, the planned remediation, the owner, the target date, and the resources required.
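As an added example (not code from the article or its authors), the following Python script does the Step 3 reconciliation and the Step 4 POA&M build in one pass. It assumes the scoring rule of the NIST SP 800-171 DoD Assessment Methodology: start at 110 and subtract each unmet control's weight of 1, 3 or 5. The control IDs are real NIST SP 800-171 Rev. 2 identifiers, but the weights attached to them, the implementation states, the SPRS score, the assessment date and the owner are constructed sample data. Two further assumptions are this example's own: a control counts as unmet when it is claimed but has no artifact an assessor could verify (the Step 2 test above), and 3.5.3 and 3.3.1 stand in for the "MFA on privileged accounts" and "audit log generation" controls the article names as not POA&M-eligible.

```python
"""Constructed example: reconcile an SPRS Basic Assessment score against the SSP
and build a POA&M for the open items.

Scoring rule assumed here (NIST SP 800-171 DoD Assessment Methodology): start
at 110 and subtract the weight (1, 3 or 5) of every control that is not met.
Control IDs are real Rev. 2 identifiers; weights, states, dates and owner are
constructed sample data for illustration only.
"""
from dataclasses import dataclass
from datetime import date, timedelta

MAX_SCORE = 110
CONDITIONAL_WINDOW_DAYS = 180  # conditional certification window from the article

# Assumption of this example: treat 3.5.3 (MFA) and 3.3.1 (audit log creation)
# as the controls that must be in place at assessment time, with no POA&M.
NOT_POAM_ELIGIBLE = {"3.5.3", "3.3.1"}


@dataclass(frozen=True)
class Control:
    control_id: str   # NIST SP 800-171 Rev. 2 identifier
    weight: int       # 1, 3 or 5 (constructed for this sample)
    implemented: bool # what the SSP claims
    evidence: str     # artifact an assessor could verify; "" if none


@dataclass(frozen=True)
class PoamItem:
    control_id: str
    gap: str
    remediation: str
    owner: str
    target_date: date
    resources: str
    poam_eligible: bool


def is_met(control: Control) -> bool:
    """A control only counts if it is both implemented and backed by an artifact."""
    return control.implemented and bool(control.evidence)


def compute_score(controls) -> int:
    """110 minus the weight of every control that is not met."""
    return MAX_SCORE - sum(c.weight for c in controls if not is_met(c))


def sprs_gap(reported_score: int, controls) -> int:
    """Positive result: the SPRS score overstates what the SSP and evidence support."""
    return reported_score - compute_score(controls)


def build_poam(controls, assessment_date: date, owner: str = "IT Lead (constructed)"):
    """One POA&M row per unmet control, with the article's six fields plus an eligibility flag."""
    items = []
    for c in controls:
        if is_met(c):
            continue
        gap = "not implemented" if not c.implemented else "claimed but no verifiable artifact"
        items.append(PoamItem(
            control_id=c.control_id,
            gap=gap,
            remediation=f"Implement {c.control_id} and retain evidence in the SSP",
            owner=owner,
            target_date=assessment_date + timedelta(days=CONDITIONAL_WINDOW_DAYS),
            resources="TBD (constructed)",
            poam_eligible=c.control_id not in NOT_POAM_ELIGIBLE,
        ))
    return items


# Constructed sample SSP state; weights are illustrative, not the official ones.
SAMPLE_CONTROLS = [
    Control("3.1.1", 5, True, "AD group policy export, April 2026"),
    Control("3.3.1", 5, False, ""),
    Control("3.5.3", 5, True, ""),   # MFA claimed, nothing an assessor could check
    Control("3.8.3", 1, False, ""),
]
SAMPLE_REPORTED_SCORE = 110          # constructed: the score left sitting in SPRS
SAMPLE_ASSESSMENT_DATE = date(2026, 6, 1)  # constructed

if __name__ == "__main__":
    print("supported score:", compute_score(SAMPLE_CONTROLS))
    print("SPRS overstatement:", sprs_gap(SAMPLE_REPORTED_SCORE, SAMPLE_CONTROLS))
    for item in build_poam(SAMPLE_CONTROLS, SAMPLE_ASSESSMENT_DATE):
        flag = "" if item.poam_eligible else "  <- must be closed before assessment"
        print(f"{item.control_id}: {item.gap}; due {item.target_date}{flag}")
```

On the constructed data the SSP supports a score of 99 against a reported 110, an 11-point overstatement that the article's Step 3 would flag, and two of the three open items are marked as needing closure before the assessment rather than inside the 180-day window. Feeding the script your own control list with the official weights replaces the constructed ones.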

Step 5: Start the C3PAO conversation now

Reach out to two or three authorized C3PAOs in the next month. Ask:

The goal of this step is not to sign a contract today. It is to establish enough relationships that when you are ready to assess, you have options. A contractor with three C3PAO conversations underway has leverage. A contractor cold-calling C3PAOs in September 2026 has none.

Step 6: Build the annual affirmation process

Phase 2 introduces a new operational requirement: annual affirmation of continuous compliance. The final rule’s definition of “current” CMMC status requires contractors to confirm there have been no changes in compliance since certification was achieved.

In practice, this means:

Skipping this step does not just create a future compliance gap. The “current” definition is what creates ongoing False Claims Act exposure between certification cycles.

What This Looks Like for a 30-Person Defense Subcontractor

The contractor profile that sees the most stress in Phase 2 is the small DoD subcontractor — under 50 employees, $2M to $20M in revenue, handling CUI on behalf of a larger prime.

For a firm this size, a realistic Phase 2 prep program looks like:

The contractors that will struggle most are the ones still treating CMMC as a checkbox the IT team will handle. It is not. It is a question of whether your business remains eligible to bid on DoD work after November 10, 2026.

The Bottom Line

Phase 2 is six months out. The DOJ has spent the last 18 months demonstrating that they are willing to pursue False Claims Act cases against contractors who misrepresent cybersecurity compliance, with settlements ranging from $1.25 million to $11.25 million and supply-chain subcontractors now in scope.

Contractors who have not started Phase 2 readiness work are not behind by a few weeks. They are running out of time to complete the assessment cycle before the deadline, and they are sitting on whatever SPRS score gap they have not yet corrected.

The single best thing a defense contractor can do in the next 30 days: pull the current SPRS score, compare it honestly against the current SSP and implementation, and update it if it is wrong. Document the update. That one step would have prevented the largest line item in the MORSECORP settlement.

The rest of the checklist follows from there.


For contractors who want the underlying control-by-control implementation guidance, the NIST 800-171 for Small Defense Contractors book ($9.99 Kindle / $47 paperback on Amazon) is the plain-English implementation guide to the 110 controls, written for firms without a dedicated security team. The companion CMMC 2.0 Compliance Survival Guide workbook ($39) is the operational toolkit for running the readiness program described above.


Sources

  1. DoD Final Rule, DFARS CMMC Implementation, published September 10, 2025, effective November 10, 2025
  2. U.S. Department of Justice, Office of Public Affairs, “Defense Contractor MORSECORP Inc. Agrees to Pay $4.6 Million to Settle Cybersecurity Fraud Allegations,” March 25, 2025
  3. DOJ Press Release on FY 2025 False Claims Act recoveries, January 16, 2026
  4. Remarks of Deputy Assistant Attorney General Brenna Jenny, American Conference Institute Advanced Forum on False Claims and Qui Tam Enforcement, January 28, 2026
  5. NIST SP 800-171 Rev. 2, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations”
  6. 32 CFR Part 170 (CMMC Program Rule, December 26, 2024)
  7. DFARS 252.204-7021 (CMMC Requirement Clause)